Author: danielrm26
Posted: Mon Apr 28, 2003 11:09 am
Post subject: What is a DMZ and how do I build one?
----
Eventually, if you get interested enough in Security, you are going to wonder what a DMZ is and why you should or should not have one. DMZ is an acronym that stands for De-Militarized Zone, and in the 'real' world it is the location between two hostile entities such as North and South Korea. In the Security community, however, it is a separate, untrusted network where boxes serving public services should be placed. It is a buffer zone between a completely untrusted network (like the Internet) and a relatively trusted network (like your private LAN). The primary reason for implementing a DMZ is to keep your public and private assets separated so that a compromise in the public area does not automatically result in a compromise of your private assets as well.

There are two main ways to implement a DMZ. The first is using three NICs, as follows:

1 NIC for the WAN (your gateway to the Internet; everything comes and goes through this NIC)
1 NIC for the LAN (behind this NIC is where you have all your private assets, i.e. file servers, domain controllers, questionable material collections, etc.)
1 NIC for the DMZ (this is where you put any machine that you want to allow people on the Internet to connect to, i.e. web servers, ftp servers, mail servers, game servers, etc.)

This is one method of creating a DMZ, but it is not the preferred method. This configuration allows the security of both your DMZ and your LAN to lie in one system. If your machine that has all three of those NICs in it is compromised, so is your DMZ and your private network as well. Basically, you are allowing the Internet to 'touch' the very same machine that determines how secure your internal LAN is, and this is not a good thing.

The better way to do this is with three separate networks – the Internet, your DMZ, and your LAN. This is accomplished by using two firewalls – one on the border of your WAN (which handles your connection usually), and one on the border of your internal network. Let’s say that you have a broadband router (like a Netgear or Linksys) and a Linux-based firewall (like Astaro or Smoothwall). What you do is you put your router on your border (right behind your modem), and you connect the LAN side of that router to a hub or switch. On that hub or switch (your DMZ hub/switch) you use one of the ports to connect your bastion host/public server(s). This machine (or machines) runs the services that you want people to be able to connect to from the outside. This may be a web site, an FTP server, or a multiplayer game like WCIII or Counterstrike. You want this machine to be hardened to some degree (preferably very well), meaning that it is completely patched and is not running anything that is vulnerable. As a general rule though, you want anything put in the DMZ to be resistant to attacks from the Internet since public access is the reason that you are putting it out there in the first place. How to harden the servers you put in your DMZ is outside the scope of this article, but suffice it to say that you want to lock them down – no services running that don’t need to be, all updates applied, etc.

Now, to that same switch (the DMZ switch) you are going to attach another network cable that goes to your internal firewall (your Linux firewall). It is important to note that you want your strongest firewall closest to your LAN; or, putting it another way, you want your weakest firewall on your border. This may seem counterintuitive but it's usually the right way to do things. Basically, you want the most powerful and most configurable firewall protecting your LAN – not your DMZ. As for your internal firewall, it’s going to have two NICs in it – one for the DMZ side and one for the private LAN side. Connect the cable coming from your DMZ switch to the DMZ side of the internal firewall (the external interface), and on the other side of the firewall (the private LAN side) you connect a cable to another hub/switch that all of your LAN computers will connect to.

So let’s take a look at the Security that is offered by this setup. At the border you have NAT translation going on that passes only the ports that you need to in order for the public to use the servers in your DMZ. Let’s say you are running a web server, an FTP server, and a game server for a game called FooAttack. On your border router/firewall you pass ports 80, 21, and 5347 (the FooAttack server port). All other attempted connections to your external IP address drop dead at your border; only those three ports passed above are allowed through because of NAT. The nature of NAT dictates that only return traffic (traffic that is part of a connection that originated from the inside of the NAT device) will be allowed back into the NAT’d network. This side effect of NAT, while not its original or main goal, is a fairly powerful Security feature. If your border device supports filtering of any sort in addition to NAT then you can further lock down your network by restricting who can and cannot connect to the hosts in your DMZ.

That first border layer, while being good, is just one piece of the overall DMZ Security posture. The real beauty of this setup lies in what happens if someone *does* get a hold of a machine in your DMZ. Imagine that you have the setup like I laid out above, but unbeknownst to you there is a major vulnerability in the web server you are running. So here you are offering web content to the entire Internet and someone runs the proper exploit vs. your machine and roots it. Now what?

Now nothing. Your second and more powerful firewall (the one that they are still *outside* of) – does not pass *any* traffic from the DMZ inside to the LAN. (In fact, you should have it where it won’t even answer ICMP requests from DMZ machines, so the odds are they won’t even know it’s there.) And now, rather than being able to bounce around on your juicy internal LAN like they planned, they are stuck in the middle of a completely untrusted and unprivileged network that doesn’t have anything on it other than what you intended for public viewing anyway.

This is a DMZ.

Even if they did know where the internal firewall was it wouldn’t even entertain the notion of passing connection attempts from the DMZ. This internal layer of protection is NAT'd just like your first layer, only there are no ports being passed inside like from the Internet to the DMZ. Your second firewall actually has no idea what to do with packets that are designed to initiate new connections with it, so it just drops them. The only traffic that is going to make it through that firewall is traffic that you specifically request be allowed through by talking to a machine outside of that firewall, i.e. when you go to /., it will allow the web content to come *back* to you so you can view the page, but if someone tries to initiate a new connection to you, they get dropped. Both NAT and SPI afford this protection to you, each in different ways.

So, to sum it all up, imagine someone is scanning around looking for web daemons to tear up and they find yours. Most inexperienced attackers would assume that you are running something on your public IP address, as if your main workstation is sitting right on the Internet and it is running a web daemon. So, they connect to it, get a web page, and then scurry to dig up their favorite HTTP exploit tool that someone else wrote. What they don't know is that they are actually connecting to a private IP in your DMZ. It has no ‘real’ IP address as far as the Internet is concerned. If you didn’t pass that port at the border device then they wouldn’t have seen anything at all with their scan. But let’s say they do see your web daemon because you are passing port 80 through to your DMZ host running a web site, and it turns out it has a vulnerability in it. They run their exploit and get root on your box. This causes them tremendous joy, and they hurry to tell all their buddies because they think they’re Alan Cox. The thing is, they have little to celebrate. All they have is a barebones server with nothing of value on it – no vital info, no browsing history, no personal information, nothing. In fact, all you have on there is content that you wanted the public to see in the first place (which is also safely backed up on your internal network and/or removable media). So, they have root on the machine and ping around in your DMZ and soon find that there isn't much there. If they are smart they will do an ifconfig (or ipconfig if you swing that way) and find out they are on a private subnet - but this gains them nothing. The odds are that from there they’ll either load some trash onto your system or try and destroy it. Either way, it doesn’t matter. The moment you detect what has happened (tripwire, puresecure, etc.) you simply pull the plug, reinstall the box, and restore the backup. Within a few minutes you have a brand-new system ready to go back online, and at no point during the process was your private LAN in danger. This is the benefit of running a true DMZ.

-danielrm26

Author: effortless
Location: grounded
Posted: Mon Apr 28, 2003 11:48 am
Post subject:
----
The ultimate firewall. There is a point lost on many admins. I can hear the howls already but here goes nothing.

I instigated an audit of internet usage of a small company with DSL and 11 networked pcs and 2 macs. After 2 months it was found that of the thousand odd emails and the large number of hours of internet browsing only 40 e-mails were company relevant and there was no company relevance to the browsing apart from the boss gazing at his hosted website. The company is mainly cash based with local clients.

Where is the point of all the staff having internet access?

The network is now off the internet and one machine not on the LAN is used for all internet traffic. Personal e-mails and browsing are allowed but not very convenient. There has been an increase in productivity, and if there is a problem with the internet PC it has no effect on the LAN.

This may seem drastic but the company is not paying for bandwidth for the personal benefit of the staff.

Author: Bhodi
Location: Netherlands
Posted: Mon Dec 29, 2003 10:22 am
Post subject:
----
Is traffic coming from one of the boxes in the DMZ handled the same as traffic coming from the internet? I mean, is traffic from a compromised box in the DMZ zone more dangerous for the 'safe' part of the network than traffic coming from the internet?

Also, my router has a DMZ feature too, but I wonder if it's the same situation as shown in the picture in the previous post.

Code:

        INTERNET
            |
      Router/firewall
         |       |
        LAN     DMZ
       |   |     |
      PC   PC    PC
       1    2     3

Is a compromised PC3 in this situation a bigger threat for PC1 and PC2 than attacks from the internet?

Author: danielrm26
Posted: Mon Dec 29, 2003 12:38 pm
Post subject:
----
The amount of trust is reflected in the rulesets you put on your firewall. A DMZ is supposed to house your public machines so that if they get cracked they are isolated and not able to contact your private LAN. You do this via a rule that denies all incoming new connections from the DMZ to your private LAN (or to anywhere else, as mentioned above).

So the short answer is "no". To the firewall, the Internet and the DMZ are the same -- they are just OTHER networks. It sees no difference; the distinction is made via your ruleset. To your PCs on your private LAN, there is also no attention paid to where the attack was coming from with regard to the Internet or your DMZ. Remember, to it, everything comes from the default gateway (the inside of your firewall).

It's all about the ruleset on the firewall itself. That is what defines the security of your setup as far as the firewall is concerned.

Last edited by danielrm26 on Mon Dec 29, 2003 12:51 pm; edited 2 times in total

Is traffic coming from one of the boxes in the DMZ handled the same as traffic coming from the internet? I mean, is traffic from a compromised box in the DMZ zone more dangerous for the 'safe' part of the network than traffic coming from the internet?

All outgoing traffic from the DMZ to either the internet or the internal network should be blocked unless it is part of an incoming connection (e.g. no outgoing packets with SYN set).

Would it be too much trouble if you point me to or draw out this layout of the DMZ security settings? It would be a lot easier if I could picture what was being mentioned above.

This is a "sandwich" DMZ -- the one that I prefer, and the one that offers more security than the "multi-NIC" approach.
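As an added example (not from the original thread or any of its authors), here is the internal, LAN-side firewall of the sandwich layout described in the first post and in the ruleset discussion above, written as iptables rules for a Linux box. It assumes eth0 faces the DMZ hub, eth1 faces the private LAN on 192.168.2.0/24, and it prints the commands by default instead of applying them.

```shell
#!/bin/sh
# Added example: ruleset for the internal ("sandwich") firewall.
# Assumptions, not from the thread:
#   eth0 = DMZ side (the hub shared with the border router)
#   eth1 = private LAN side, 192.168.2.0/24
# IPT defaults to "echo iptables" so the script only prints the rules;
# run it as root with IPT=iptables to apply them for real.
IPT="${IPT:-echo iptables}"
DMZ_IF=eth0
LAN_IF=eth1
LAN_NET=192.168.2.0/24

internal_fw_rules() {
    # Clean slate, then drop everything that no rule below accepts.
    $IPT -F
    $IPT -t nat -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Return traffic only: packets belonging to a connection the LAN
    # opened (or related to it, e.g. FTP data) may come back in.
    $IPT -A FORWARD -i "$DMZ_IF" -o "$LAN_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i "$DMZ_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # The LAN may open new connections outward (to DMZ hosts or the
    # Internet); they are NATed behind the firewall's DMZ-side address.
    $IPT -A FORWARD -i "$LAN_IF" -o "$DMZ_IF" -m conntrack --ctstate NEW -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$DMZ_IF" -s "$LAN_NET" -j MASQUERADE

    # Nothing originating on the DMZ side may start a connection inward:
    # TCP SYNs, new UDP flows and malformed packets are silently dropped,
    # so a compromised DMZ host gets no answer at all.
    $IPT -A FORWARD -i "$DMZ_IF" -o "$LAN_IF" -m conntrack --ctstate NEW,INVALID -j DROP

    # Stay quiet: do not answer pings arriving from the DMZ side.
    $IPT -A INPUT -i "$DMZ_IF" -p icmp --icmp-type echo-request -j DROP

    # Management of the firewall itself only from the LAN side.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT
}

internal_fw_rules
```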

Author: Bhodi
Location: Netherlands
Posted: Mon Dec 29, 2003 1:53 pm
Post subject:
----
Well, my router basically just does that, it functions as a firewall and a hub together. I can set one PC up as DMZ. For all other PCs on the LAN the firewall rules on the router are active. I DO have a firewall running on the separate PCs but that's not really necessary since almost all ports are blocked on the router. I'm still configuring this to find the optimal situation. Start with closing everything and then open the separate ports for each service I need. This will eventually leave a firewall configuration with just a few ports open. So no need to have a fancy hardware firewall, just one that can shut everything down and let you open the specific ports that are needed, and almost all routers provide that.

This is a "sandwich" DMZ -- the one that I prefer, and the one that offers more security than the "multi-NIC" approach.

Could you explain how that DMZ topology offers "more security"? The multi-nic approach would be based on the same rulesets as the two firewall DMZ. So the same rules would be applied...just on different firewalls.
The only aspect where this would provide more security (to me anyway) would be if a firewall itself was compromised. A multi-NIC firewall would provide the attacker access to everything, while a two-firewall DMZ (depending on which firewall got owned) could help lessen the impact.
Let's face it though....if you're allowing your firewall to get owned...then you've got other issues you need to worry about besides your DMZ setup.

Could you explain how that DMZ topology offers "more security"? The multi-nic approach would be based on the same rulesets as the two firewall DMZ. So the same rules would be applied...just on different firewalls.
The only aspect where this would provide more security (to me anyway) would be if a firewall itself was compromised.

That's precisely the answer. If you have a firewall device doing multiple things and handling multiple networks, you have the (albeit very small) possibility that it will be compromised.

By running the multiple firewalls rather than multiple NICs, you have multiple layers. Ideally (for the layering issue, not necessarily in general), you'd have as many different platforms in there as well, i.e. one's Check Point, one's OpenBSD and ipf, and the other is Linux/IPFILTER. This way, the key that got them through one layer doesn't get them through the next.

So, yes, it *is* more secure, but like you said, getting a firewall owned isn't supposed to be a common occurrence, so the security "lost" by using the multi-NIC approach is minimal at best.

Well, my router basically just does that, it functions as a firewall and a hub together. I can set one pc up as DMZ.

I don't suggest you use this feature or be lulled into thinking of it as a DMZ at all. It's not.

All that is, is a default host for the NAT functionality of your router, and it's generally not a good idea to use if you need real security. If you want to do a DMZ, get another device and chain them together like the diagram I posted above.

All that is, is a default host for the NAT functionality of your router, and it's generally not a good idea to use if you need real security.

Ah well, I don't need/use a DMZ anyway. I was just wondering how good some of the functionality on my router really was. I only use my router as a central internet connection point, DHCP server, some port forwarding and a basic firewall.

but thnx for the clarification

Author: ZCorker
Posted: Sun Jan 04, 2004 10:38 pm
Post subject: Will a DMZ stop SNORT ???
----
Will a DMZ stop the snort program? I found out about Snort for the first time while reviewing something in Security Forums, but forgot where the link was. I would appreciate it if someone would forward me the link. I think the link that I reviewed also led me to another program that was like Snort.

Zcorker
ICQ 118179171
<bd652(at)scn.org>

Author: alt.don
Posted: Sun Jan 04, 2004 11:14 pm
Post subject:
----
A DMZ has nothing to do with Snort actually. DMZ is a topology while Snort is an intrusion detection system. I trust this clarifies. Also please give google a shot on some of these questions. Thanks!

Author: yaoweihung
Location: Dallas, TX.
Posted: Wed Jul 21, 2004 10:07 pm
Post subject: What to do in details
----
Thanks for the efforts you have put into this great document. I am planning to implement this into our network soon, but I have some questions about the details…

We are using Check Point NG to do the minimum protection on our internal network. There is no DMZ setup yet. What I plan to do is buy a Cisco PIX 506 and create a two firewall model. The Web server and Exchange server will be put into the DMZ. The SQL server and other servers will be protected behind the internal firewall.

The questions are:

1. Which Firewall product is more powerful, Check Point NG or Cisco PIX 506? I would like to know which Firewall I should setup as internal Firewall.

2. If I want to set up a VPN for remote management purposes, where should this VPN server go and how should I set up these two Firewalls?

3. From your demonstration, you have both the DMZ and the internal Firewall connected to the same hub/switch. Would it be better if I had dual NICs in all servers located inside the DMZ? By doing this, I have my external Firewall connected to one subnet address (say, 192.168.1.xxx) and my internal Firewall connected to another subnet address (say, 192.168.2.xxx).